The testssl.sh tool is a powerful script for testing SSL/TLS configurations, including those on HAProxy. This guide provides instructions for testing SSL certificates on HAProxy, ensuring they are valid, correctly configured, and include a complete certificate chain.
Prerequisites
Install testssl.sh: clone the repository from GitHub
git clone --depth 1 https://github.com/drwetter/testssl.sh.git
cd testssl.sh
Make the script executable
chmod +x testssl.sh
Ensure HAProxy is running and configured to handle SSL/TLS traffic.
Check that the front-end and back-end configurations are correct.
HAProxy must expose the SSL/TLS port (default is 443) for testing.
Testing SSL Certificates on HAProxy
Basic SSL/TLS Validation
To test the SSL/TLS configuration of your HAProxy server, run:
./testssl.sh https://<haproxy_domain_or_IP>
This checks:
Protocol support.
Cipher availability.
Certificate properties.
Certificate Chain Validation
To validate the certificate chain on HAProxy:
./testssl.sh --certs https://<haproxy_domain_or_IP>
Key Points to Check:
Certificate Validity: Ensure the certificate is active and not expired.
Certificate Chain: Verify there are no missing intermediate certificates.
Trust: Confirm that the certificate chain leads to a trusted root CA.
Testing Specific Front-ends
If HAProxy has multiple front-ends with SSL configured on different ports, specify the port:
./testssl.sh https://<haproxy_domain_or_IP>:<port>
For example:
./testssl.sh https://haproxy.example.com:9091
HAProxy-Specific Considerations
Verify Full Certificate Chain Delivery
HAProxy must be configured to serve the full certificate chain. Ensure the PEM file includes, in this order:
The server certificate.
Intermediate certificates.
The private key also has to be available to HAProxy: the crt file is expected to contain it unless you load it from a separate key file.
You can concatenate the certificates and the key into a single PEM file as follows:
cat server.crt intermediate.crt server.key > fullchain.pem
Because this file now contains the private key, restrict its permissions (for example chmod 600) and keep it owned by root.
Update your HAProxy configuration to use the fullchain.pem:
frontend https_frontend
    bind *:443 ssl crt /etc/haproxy/fullchain.pem
    default_backend app_backend
Restart HAProxy After Configuration Changes
After updating certificates, restart HAProxy to apply the changes (a reload, systemctl reload haproxy, also picks up the new certificate without dropping established connections):
systemctl restart haproxy
Advanced Testing with testssl.sh
Check for Expiration Warnings
Run the following to get alerts about certificates nearing expiration:
./testssl.sh --certs --warnings https://<haproxy_domain_or_IP>
Analyze Protocol and Cipher Support
HAProxy often uses a specific SSL/TLS configuration. Test supported protocols and ciphers:
./testssl.sh --protocols https://<haproxy_domain_or_IP>
./testssl.sh --ciphers https://<haproxy_domain_or_IP>
Generate Reports
Export results for documentation or reporting:
./testssl.sh --jsonfile haproxy_test.json https://<haproxy_domain_or_IP>
./testssl.sh --htmlfile haproxy_test.html https://<haproxy_domain_or_IP>
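Once the JSON report exists, the chain-of-trust and expiration findings from the sections above can be triaged automatically instead of read by eye. The following script is an added example, not part of this guide or of testssl.sh; it assumes the flat --jsonfile format (an array of objects with id, ip, port, severity and finding) and the finding ids cert_chain_of_trust and cert_notAfter, and it runs here against a constructed sample report.

```python
"""Triage a testssl.sh --jsonfile report for chain of trust and expiry.
Assumed report shape: a flat JSON array of findings with keys id, ip, port,
severity, finding; ids cert_chain_of_trust / cert_notAfter as testssl.sh names them."""
import json
from datetime import datetime, timezone

SEVERITY_ORDER = ["DEBUG", "INFO", "OK", "LOW", "MEDIUM", "HIGH", "CRITICAL"]
TS_FORMAT = "%Y-%m-%d %H:%M"  # how testssl.sh renders cert_notAfter (assumed)

# Constructed sample report: a HAProxy front-end serving its leaf certificate
# without the intermediate, plus a deprecated protocol still enabled.
SAMPLE_REPORT = json.dumps([
    {"id": "cert_chain_of_trust", "ip": "haproxy.example.com/203.0.113.10",
     "port": "443", "severity": "HIGH", "finding": "failed (chain incomplete)."},
    {"id": "cert_notAfter", "ip": "haproxy.example.com/203.0.113.10",
     "port": "443", "severity": "INFO", "finding": "2030-01-15 12:00"},
    {"id": "TLS1", "ip": "haproxy.example.com/203.0.113.10",
     "port": "443", "severity": "LOW", "finding": "offered (deprecated)"},
])

def severity_rank(name):
    """Numeric rank of a severity; unknown labels (e.g. WARN) rank as MEDIUM."""
    return SEVERITY_ORDER.index(name if name in SEVERITY_ORDER else "MEDIUM")

def parse_ts(text):
    return datetime.strptime(text, TS_FORMAT).replace(tzinfo=timezone.utc)

def triage(report_text, warn_days=30, min_severity="MEDIUM", now=None):
    """Summarise one target's findings; `now` may be a datetime or a TS_FORMAT string."""
    now = parse_ts(now) if isinstance(now, str) else (now or datetime.now(timezone.utc))
    by_id, issues = {}, []
    for f in json.loads(report_text):
        by_id[f["id"]] = f  # one target per report assumed; a later host would win
        if severity_rank(f["severity"]) >= severity_rank(min_severity):
            issues.append(f"{f['id']}: {f['severity']} {f['finding']}")
    # testssl.sh reports "passed." when the served chain leads to a trusted root.
    chain_ok = by_id.get("cert_chain_of_trust", {}).get("finding", "").startswith("passed")
    days_left = None
    not_after = by_id.get("cert_notAfter", {}).get("finding")
    if not_after:
        try:
            days_left = (parse_ts(not_after) - now).days
        except ValueError:
            issues.append(f"cert_notAfter: unparsable date {not_after!r}")
    expiring_soon = days_left is not None and days_left < warn_days
    if expiring_soon:
        issues.append(f"cert_notAfter: expires in {days_left} days ({not_after})")
    return {"chain_ok": chain_ok, "days_left": days_left, "expiring_soon": expiring_soon,
            "issues": issues, "ok": chain_ok and not issues}
```

Run it with the real haproxy_test.json and a cron job to fail a pipeline or page an operator when "ok" is false; raise min_severity to "HIGH" if LOW and MEDIUM findings are handled elsewhere.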
Troubleshooting HAProxy SSL Issues
Incomplete Certificate Chain
Ensure intermediate certificates are included in the PEM file. Use testssl.sh --certs to identify missing certificates.
Certificate Not Trusted
Verify the root CA is trusted on client systems.
Use online tools like SSL Labs to cross-check.
SSL Configuration Errors
Check the HAProxy configuration file for syntax issues:
haproxy -c -f /etc/haproxy/haproxy.cfg
Ensure bind directives correctly specify SSL options.
Incorrect Certificate Deployment
Verify the certificate file and key are correct (for an EC key, use openssl ec -check in place of openssl rsa -check):
openssl x509 -in /etc/haproxy/fullchain.pem -text -noout
openssl rsa -in /etc/haproxy/server.key -check
Example: Validating HAProxy SSL Certificate
./testssl.sh --certs https://haproxy.example.com:443
Expected Output (summarized):
Certificate is valid: Yes
Chain issues: None
Expiration: Valid until YYYY-MM-DD
Protocols and ciphers: Secure configurations
Summary
By following this guide, you can ensure that your HAProxy SSL/TLS setup is secure, the certificate is valid, and the chain is complete. Regular checks with testssl.sh help maintain a robust SSL/TLS configuration.